Does any manufacturer produce a compact camera which has the ability to securely delete pictures from the memory card? Or, failing that, have a format feature which really blanks the card rather than just deleting the FAT?

I work for a healthcare organization and we're trying to find the easiest way to wipe photos of patients after they have been transferred to our network.

I'm aware that we can load the memory into a PC and wipe it there, but I'd like to find something built in, for convenience.

Cameras and PC software can't offer truly secure deletion on flash devices because of the way those devices manage the memory where the data is actually stored. (See this question on StackOverflow for a slightly more detailed explanation.) If your local regulations require erasure to the point where there's absolutely no trace of the information left anywhere on the media, you will probably have to resort to buying inexpensive, low-capacity devices and physically destroying them after each patient.
– Blrfl Dec 7 '12 at 19:55

2

But couldn't you just fill the card up after "deleting" the images?
– Paul Cezanne Dec 7 '12 at 21:23

2

@PaulCezanne: Depends on how the wear leveling algorithm in the card works. The only practical, 100% safe possibilities are physical destruction and using cards that implement the ATA secure erase operation. Hard disks and some SSDs implement the latter; I've never seen a flash card or USB stick that did.
– Blrfl Dec 8 '12 at 14:12

3

I would recommend a two-stage process. Erase images in the normal way once you have uploaded them to the network, but also treat all SD cards that have been used for this as if they were hardcopy patient records - keep them locked up when they are not in use, use tracking numbers so they don't get lost etc. The first will prevent casual browsers from finding pictures and the second will prevent determined violators.
– DJClayworth Dec 10 '12 at 19:15

1

@BillN - Most likely the pictures will be transferred from outside the network i.e. from a laptop via VPN. We've discussed the possibility of wiping cards after they are in the laptop, or the camera is mounted over USB, but it would need to be a very easy to use process as this will be done by non-technical staff. Hence my hope to find a camera with a secure delete option; it would be simplest of all.
– Chris Dec 12 '12 at 13:10

11 Answers
11

The closest you could get is to have a secure (encrypted) card so that the contents were scrambled to those who don't have the password.

Lexar produced a CF card range called LockTight, which offered encryption in combination with the Nikon D200 although I've seen nothing new on it in a few years.

I haven't heard much if anything about the technology for a few years but it's a starting point.

Edit: I should have mentioned that the encryption mechanism happens within the card rather than in camera/computer - which means the key management is not subject to the usual forensic recovery techniques which come about as a result of wear levelling.

I noticed this when I posted an answer involving the LockTight card on another question a few days ago. It just blocks the card's access until the passphrase was entered. So while not technically encryption, locking the card in this way would still be sufficient for the needs of this situation since the card would be unlikely to be under any kind of well resourced or sustained attack. I can edit to clarify if you like, matt?
– James Snell Feb 2 '13 at 15:45

This sounds like it's private medical information: pictures of patients. I think more protection than this is likely required. Speculation on Schneier's blog is that an attack would be as simple as swapping the flash chips into a normal CF card.
– mattdm Feb 2 '13 at 16:00

I see what he's getting at: as it's just locking out the controller based on a password/hash, you could bypass the controller, assuming it's not baked into the chip(s). I figure that removing the chips and installing them elsewhere requires a surface mount device workstation as a minimum, making the attack well resourced and highly targeted. In those situations a card like this is very unlikely to be the weakest link in the chain, and simpler attack vectors would be more effective and cheaper.
– James Snell Feb 2 '13 at 17:16

Maybe you can take a look at Eye fi SD card ( http://www.eye.fi/ )
It's an SD card that transfers the captured image in real time to the computer via a WiFi network. I never used one: you can check if it's possible to transfer the images without storing them in the memory of the SD card.

UPDATE: @Chris already owns an Eye fi card, and it seems that this solution is not possible.

Find a camera that has integrated support for WiFi image transfer, AND can take photos without a memory card.

You can look in the "alternative firmware" world (CHDK comes to mind: http://chdk.wikia.com/wiki/CHDK) and ask if someone wants to develop a "secure erase/overwrite" function, or maybe you can develop your own with some kind of scripting... (I don't know if it's possible, but maybe you want to check it out.)

I have an Eye Fi card and I don't think it transfers without storing first (unless newer models/updates allow this). However, this wouldn't be an option as they will rarely have wifi access when taking pictures. Interesting idea though! I'll have to look into chdk and see what scope that offers.
– Chris Dec 12 '12 at 12:55

While you can't do a secure delete on an SD card (as the card decides where a file goes and not the OS or device) you could store the files in an encrypted volume on the card which is then useless if recovered?
– James Snell Mar 10 '14 at 14:11

I suspect that such a system does not exist. At one time Canon produced a system for its Pro cameras to ensure that images taken on the camera were authentic and not retouched, however, this system was proven to be inadequate and subsequently easily cracked. As a result, Canon no longer produces the system.

I suspect that deletion or even secure deletion will never be adequate, as it is not adequate for computer hard drives. With enough time and money, files are easily recovered from most media. In-camera Encryption would likely be the preferred route, but I suspect this would require a significant step up in processor power on the camera (hence the 'security' system Canon provided which was an encryption dongle for the camera), and therefore expense. I know of no system that provides encryption of the card.

I would recommend that you 1) simply reformat the card following each use, making it part of the training for camera users, and 2) since this is technically inadequate, treat the card (or card and camera for convenience) as a form of PHI, and secure it in the same manner you do other sources of PHI.

While not specifically a camera, what about an iPod Touch or iPhone? Both offer hardware encryption, passwords, remote wipe and other mobile device management options. You could use configuration tools to lock it down to just the camera app and if something does go awry you could remotely wipe it (or maybe even locate it!).

Users would plug in the device to a computer, enter a password and download the photos.

I too work in healthcare and have been pondering a solution for handling photos of our burn victims. Taking a photo and storing it securely is a much better experience than having to wrap and unwrap bandages.

Most cameras (if not all) use the same chip, or a variation of it, to handle the FAT file system as this makes it cheaper to implement support for cards and so on.

The drawback, security-wise, is that they all offer the same functionality. Deleting a file only deletes the header of the file, and as such the file can easily be reconstructed.

Simply full-formatting the card helps, but with forensic techniques it is possible to get those data back (picking up and amplifying weak electric/magnetic residue). With quick-format only the file table is cleared, content is left untouched.

So what you can do to achieve high security with a common camera is the following:

After you have transferred the pictures, use the following procedure:

Format the card (important: full format, not quick).

Turn off flash and take as many pictures as you can to fill up the card. Point the camera at the sky, for example. This is to overwrite the old left-over traces with "noise".

Re-format again with full format.

And repeat once more (or twice) to be sure.

This technique is basically what file "shredders" do, only here you do it manually. It's somewhat time-consuming but offers good data security in terms of ability to restore data from the card.

Cameras and PC software can't offer truly secure deletion on flash devices because of the way those devices manage the memory where the data is actually stored. (See this question on StackOverflow for a slightly more detailed explanation.)

If your local regulations require erasure to the point where there's absolutely no trace of the information left anywhere on the media, you will probably have to resort to buying inexpensive, low-capacity devices and physically destroying them after each patient.

For anyone who's interested: we ended up using Panasonic Lumix cameras with pictures stored on the internal memory instead of an SD card. The image files are transferred over VPN to a network share and then securely deleted; this is all done with a batch file the users can just click on.
Blrfl's answer about whether secure deletion is even viable is well taken, but we figure it's about the best we can do and the fact that the memory is internal probably helps here.

The more nodes you bring into the chain of transfer, the weaker your security becomes. When thinking of deleting the images on an SD or CF card, I can think of two simple methods to achieve this:

A) The camera can format a card, which erases the contents of the card. However, some 'Format' options in a camera only tell a card it's empty, to allow the data to be overwritten, and do not in fact actually overwrite the card itself.

In this case I would suggest a camera that can be set to take images with a built-in intervalometer. Once you have transferred the images, you overwrite the card by 'formatting' it and then taking images of something (or with the lens cap on) until the card is full, thereby overwriting the data. Now you can 'format' it again.

B) Some cameras will actually overwrite the data during formatting, but that you would have to research.

C) Only buy smaller, cheaper cards and physically destroy them after you no longer use them. With card prices for smaller cards dropping even further this may actually be affordable, depending on how often you would need to exchange those cards.

D) Canon cameras have additional firmware available written by a developer community. In some Canon models (and others) the software is actually not replacing the camera firmware but augmenting it. This would NOT void your warranty and, as explained above, may add that functionality to the camera's features. However, be aware that if you have multiple people using that camera you may have to train them, as it isn't particularly easy to use in some cases.

If security is of top concern I would caution against any networked or mobile phone software as the camera's operating system as you will have to harden those points of entry for the potential security breaches.

From answers to this question, it would appear that some Canon cameras can perform a 'Low Level Format' on SD memory cards, and that this will write data to the whole card (i.e. overwriting the free space).

It's only available for formatting (not deleting individual photos), and only on some cameras, and only on their SD cards (e.g. Canon 5D Mark III only offers it for the SD slot, not the CF slot).

It's a feature I thought was only on the DSLR range, but it appears several (if not all?) Canon PowerShot cameras can do it, so would expect to find it on a few other compact Canon cameras (perhaps even other vendors). For example, S110, SX280HS, even the rather old A550, so I suspect most Canon cameras with SD cards will support it.

Also worth noting, according to this discussion thread, that some cameras' low level format doesn't seem to securely erase as expected. One user found images could be recovered after performing a low level format with their 450D, but not with their 70D. It's an internet discussion forum, so take with appropriate levels of salt, and definitely test any secure erase/low level formatting thoroughly before you rely on it!

Finally, as various others have commented, if you truly need secure erasing, then there's nothing better than physical destruction of the card. I certainly wouldn't guarantee (even with thorough testing) that a low level format will properly wipe the card. It may be good enough for most purposes, but you still have risks (like the chance some sectors don't get erased, perhaps quite deterministically, and the likelihood of a user forgetting to check the 'Low Level Format' option). You could talk to Canon about how Low Level Format works at a technical level, and if there are any guarantees on it wiping the data. Otherwise consider using small/cheap SD cards and treating them as disposable (with an appropriate protocol to ensure destruction).
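
One way to run the test recommended above, as an added example that is not part of the original answer: dump the formatted card to a raw image file, then scan that image for leftover JPEG headers and non-blank sectors. The function names and the sample image are constructed for illustration, and the scan only sees sectors the card's controller exposes, so a clean result says nothing about remapped or spare flash blocks.

```python
import io

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image, then first byte of the next marker


def audit_card_image(stream, sector=SECTOR):
    """Scan a raw card dump sector by sector and report what survived the format."""
    total = residual = offset = 0
    jpeg_offsets = []
    while True:
        block = stream.read(sector)
        if not block:
            break
        total += 1
        # An erased sector is one repeated byte (typically 0x00 or 0xFF).
        if block.count(block[0]) != len(block):
            residual += 1
        # Files start on cluster boundaries, so a leftover photo shows its
        # header at the start of a sector.
        if block.startswith(JPEG_SOI):
            jpeg_offsets.append(offset)
        offset += len(block)
    return {"sectors": total, "residual": residual, "jpeg_headers": jpeg_offsets}


def sample_image(leftover_photo):
    """Constructed 8-sector test image: a non-blank boot sector, the rest erased."""
    sectors = [b"\xff" * SECTOR for _ in range(8)]
    sectors[0] = b"\xeb\x58\x90" + b"CONSTRUCTED".ljust(SECTOR - 3, b"\x00")
    if leftover_photo:
        # Simulates a quick format: file table cleared, photo data untouched.
        sectors[3] = (JPEG_SOI + b"\xe1" + b"constructed photo data").ljust(SECTOR, b"\x5a")
    return io.BytesIO(b"".join(sectors))


if __name__ == "__main__":
    for label, leftover in (("quick format", True), ("overwriting format", False)):
        report = audit_card_image(sample_image(leftover))
        verdict = "FAIL" if report["jpeg_headers"] else "no headers found"
        print(f"{label}: {report} -> {verdict}")
```

A freshly formatted card always has a few non-blank sectors for the file system itself, so the residual count is informational; any JPEG header found is the failure signal.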

Thinking a little outside the box... rather than a compact camera, have you considered using an iPhone or iPod Touch for your cameras? (Specifically iPhone 4S or higher / iPod Touch 5th Gen 32GB or higher models)

Since the iPhone 3Gs and (I think) iPod Touch 3rd gen, the contents of the built-in flash is encrypted, so a factory reset will securely wipe any traces of photos on there. Even simply deleting them on such a device will make them very difficult to recover since the flash is non-removable—a common complaint, but a potentially useful security feature.

There's some enterprise software to manage devices, which may even make it easy to ensure users are following the protocol properly, track/wipe lost devices, manage any additional software/resources (e.g. you could include training material, instructions, or useful apps).

The cameras are reasonable quality, as good as a cheap compact. iPhones since the 4S have an 8MP camera, the iPod Touch 5th gen (32/64GB models—NOT the 16GB) have a 5MP camera. They can focus quite close for semi-macro shots, are very easy to use, have a basic built-in flash, and generally work okay in reasonable lighting.

The downsides compared to a compact are they cost a bit more than the cheapest compacts, no spare/removable batteries, no zoom (though unlikely a big deal for your use), and low-light/high-ISO performance won't be as good as recent compacts.

I hadn't looked into the specifics of how the iPhone stores or deletes photos, but I had been advocating for iPhones (or similar) for other reasons e.g. email, sms, mobile hotspot, etc. however cost was the prohibiting factor. It might be worth revisiting, though we'd need to be sure that we could lock down access to the photos and prevent emailing and texting of them, except by secure means. As a camera, they would certainly be good enough.
– Chris Mar 13 '14 at 14:41

Have a look into their mobile device management business software. I suspect you can lock the phone down (akin to parental controls) in a business-appropriate way (or maybe just use parental controls directly). See their business IT management page.
– drfrogsplat Mar 15 '14 at 12:54